One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

The block chain security problem, Beosin (Chengdu chain technology) team every week will be a serial intelligent contract security vulnerability analysis, hoping to help programmers write more secure contracts, nip in the bud.

Introduction: “the mind, the more into the more resistance, no end.” – 43 – Tan “benevolence”

previously on

Speaking on the back of the official standard, well intentioned, written compliance should not be underestimated.

We concluded the analysis and summary of Ethernet Intelligent contract loopholes, Fang conventional high-risk vulnerabilities with 15 period. Throughout the history of the development of ecological security of the etheric Fang, there are too many lessons worth remembering and pain. Relevant statistics, block chain industry lead to security incidents in 30% of property losses caused by the intelligent contract loopholes. So in accordance with the standard of using Ethernet Fang development language, correct writing each line of code is the basic requirement of contract, guarantee the safety of contract. Advocate on chain pre contract audit, to ensure that the project is safe to sail, we sincerely recommend to developers and project.

This issue

EOS game by hands, random number of vulnerabilities lvjinbujue.

In addition to the etheric square, block chain platform EOS is currently more popular. EOS is also a smart contract and block chain structures based on, and in the game and the DApp field, due to the absence of transaction costs and processing ability, EOS has inherent advantages in technology and design concept. However, coincidentally, the security problem of EOS intelligent contracts also emerge in an endless stream. This time we use the new EOS game attacks to analyze EOS intelligent contract loopholes.

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

Attack history

EOSDice was first attack

On November 4, 2018 at 3:15 in the morning to start the EOSDice contract is account jk2uslllkjfd attack, an attacker stealing about 2500 EOS and recharge into the fire.

EOSDice second attack:

On November 10th at 11:19 in the morning, coinbasewa11 account once again attacked the EOSDice game, stealing 4900 EOS into the bitfinex exchange, this account for a 95 attack on the game of contract, attack process can be retrieved.

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

  The problem of random number generation

As we mentioned in the sixth game contract loopholes, until now, the etheric Fang and EOS official did not provide a random number interface, this is indeed an adverse effect on the game development, such as the development of the lottery module. In order to achieve a similar function, game developers need to write your own random number generator function, these functions often use block information as a parameter, and then a series of operations, to obtain a “random number”. However, due to the use of block information as a parameter, which will result in the same block, random number function will use the same algorithm to get the same value, the attacker can use this deployment, intermediate contract, and then stop the attempt to generate random numbers, random number generation when satisfied, then using the intermediate contract in the game and affect the fairness of the game. We call this kind of random number problem called “pseudo random number of vulnerabilities”.

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

Analysis of EOSDice pseudo random number of vulnerabilities

Since EOSDice raised the alert for the first time after the attack, and to modify the random number generation algorithm, so we analyzed two times.

Analysis of the first attack:

The EOSDice contract open source, we mainly look at the random function of the contract, the contract is copied from the random function is another EOS implementation of contract.

The random factor using the random function in the main:

1. (tapos_block_prefix) of the refer block trading information

2. tapos_block_num (refer) of the transaction information block

3. name (user name)

4. game_id (increment)

5. (current_time) (current time)

6. pool_ol_eos.amount (current contract balance)

The random block depends mainly on the refer (refer block) information and the current time, the balance of contract information.

In this game, the lottery time can be calculated according to the delay time, the balance of information in only one user access can also be calculated according to the;

Then the only factor of uncertainty only refer block information.

In the actual game execution logic lottery is derived from reveal action action deferred action on action refer block, the information is not specified by the user, but by the EOS chain to the specified code, see:


 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

After the actual test, refer block deferred action information for a block of information before the execution of the current action, indicated as below:

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

So, in fact, the use of lottery when tapos_block_prefix (actually) before betting has been generated, then combined with the prediction of time and balance, it can predict the lottery results; according to the analysis of transactions, eosdice was first attack is likely to use such kind of attacks.

Analysis of the second attack:

Here to introduce a little knowledge of EOS:

When EOS transfers, EOSIO.Token will notify from and to accounts, but is the first implementation of notification to the from account, as shown below:

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

EOS in the first time after the attack, the modified algorithm of generating random number random number, we see a revised really random. The formula to calculate the random number as shown in fig.:

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities


Using the knowledge transfer notice mentioned above, the game started to receive the contract on Transfer Notice of their logic, deferred action:reveal1 reveal1 deferred trigger, action:reveal trigger lottery prizes; then in the lottery (reveal) refer block information is adopted on transfer action’s block information, can not predict;

But the revised random function of random in EOSDice, this function is also used to balance the random factor. The attacker can transfer in her own after receiving EOS transfer notice, and simulated with EOSDice the same defered action:defered2, then defered2 defered action:defered trigger;

After this some operations, while defered and reveal is the attacker’s game contracts in the same block (block) in operation. You can modify the balance of amount random factor in the calculation of random in defered (amount+x) value, to meet the conditions for their bets. Note that this calculation value requires a collision test to guess.

The attacker then to the random factors into account for amount x EOS; then when running to reveal when the lottery, you can make yourself surely winning. The whole process of attack can be summarized in the following chart:

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities

And after analyzing the attack before the transaction, can determine the attacker using the attack is to control the balance of the random factor in the;

Bug fixes

Use the parameters like tapos_block_num may cause pseudo random number of vulnerabilities, including the balance of EOS and head_block_id, the characteristics of these parameters is having certain controllability.

If you need to use tapos_block_preifx as a random factor, can be a defered action multi jump performed before the lottery reveal implementation, to ensure access to the information generated in the block lottery betting, so tapos_block_prefix is unpredictable.

Pseudo random, true loopholes

EOS and Ethernet square using different technologies and design concepts, such as:

1. Ethernet is designed for the square for all may be established on the basis of the application of neutral platform, and EOS provides some functions such as encryption and block chain tools, more friendly to application developers.

The difference between the two consensus mechanism 2., compared to the etheric Fang used PoW, the DPoS mechanism of EOS is similar to the board of directors mechanism.

3. Ethernet CPU single thread performance limits by the workshop, the network transaction speed is only about 10 times per second, but also need to provide each transaction fee. Parallel EOS technology solves the problem of the speed of transactions, and remove fee.

The characteristics of EOS, especially the third characteristics decided on the basis of the game can satisfy the low delay, smooth interactive demand, application demand at the same time to handle business class. This is why EOS used in many aspects of the game. But as with Ethernet square, EOS official did not provide the corresponding random number generation function. The authorities have recommended users to use Ethernet square chain Oraclize library to generate random numbers.

Random number EOS is still a developers headache problem, not yet the end of November, EOS DApp has appeared three times according to the random number of vulnerability attack event, in solving the issue of random numbers, the need of a reliable solution. Hope that the majority of DApp developers are currently no reliable solutions, relying on existing experience and security audit, it will contract the pseudo random repair is “true” random, let EOS DApp interesting, fair and reliable.

 One foot in mind the random number attack | pseudo-random number in EOS vulnerabilities Quote´╝Ü

[1]: what is the difference between EOS and Ethernet fang:


[2]: play dice game EOS:


[3] SKR: the game ended in sixth instalments – game contract loopholes loopholes and comprehensive summary | Chengdu chain security vulnerability analysis:


Leave a Reply

Your email address will not be published. Required fields are marked *